| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-26789: crypto: arm64/neonbs - fix out-of-bounds access on short input |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| crypto: arm64/neonbs - fix out-of-bounds access on short input |
| |
| The bit-sliced implementation of AES-CTR operates on blocks of 128 |
| bytes, and will fall back to the plain NEON version for tail blocks or |
| inputs that are shorter than 128 bytes to begin with. |
| |
| It will call straight into the plain NEON asm helper, which performs all |
| memory accesses in granules of 16 bytes (the size of a NEON register). |
| For this reason, the associated plain NEON glue code will copy inputs |
| shorter than 16 bytes into a temporary buffer, given that this is a rare |
| occurrence and it is not worth the effort to work around this in the asm |
| code. |
| |
| The fallback from the bit-sliced NEON version fails to take this into |
| account, potentially resulting in out-of-bounds accesses. So clone the |
| same workaround, and use a temp buffer for short in/outputs. |
| |
| The Linux kernel CVE team has assigned CVE-2024-26789 to this issue. |
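
The short-input problem described above, reduced to a user-space C model (an added example, not code from the kernel or from this advisory). `granule_xor` is a constructed stand-in for the asm helper that uses a toy keystream instead of AES and is assumed to touch a full 16-byte window at the pointers it is given; `ctr_tail_safe` and `bytes_clobbered` are hypothetical names, and the arenas are oversized so the stray accesses stay in bounds while still being counted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define GRANULE 16 /* one NEON register, the access size the advisory names */

/* Constructed stand-in for the asm helper (toy keystream, not AES): it loads
 * and stores a whole 16-byte granule at src/dst even when nbytes < 16. */
static void granule_xor(uint8_t *dst, const uint8_t *src, size_t nbytes)
{
    uint8_t reg[GRANULE];
    memcpy(reg, src, GRANULE);                  /* full-width load  */
    for (size_t i = 0; i < nbytes && i < GRANULE; i++)
        reg[i] ^= (uint8_t)(7 + i);
    memcpy(dst, reg, GRANULE);                  /* full-width store */
}

/* Glue with the workaround: a tail shorter than 16 bytes is bounced through
 * a temp buffer so the helper never touches caller memory past nbytes. */
static void ctr_tail_safe(uint8_t *dst, const uint8_t *src, size_t nbytes)
{
    uint8_t buf[GRANULE] = {0};
    int is_short = nbytes < GRANULE;
    const uint8_t *s = is_short ? memcpy(buf, src, nbytes) : src;
    granule_xor(is_short ? buf : dst, s, nbytes);
    if (is_short)
        memcpy(dst, buf, nbytes);
}

/* Processes one tail (nbytes <= 16) inside oversized arenas and counts the
 * destination bytes at index nbytes and beyond that were modified. */
static int bytes_clobbered(size_t nbytes, int use_workaround)
{
    uint8_t src[2 * GRANULE], dst[2 * GRANULE];
    int n = 0;
    memset(src, 0x41, sizeof(src));             /* constructed sample input */
    memset(dst, 0xEE, sizeof(dst));             /* guard pattern */
    if (use_workaround) ctr_tail_safe(dst, src, nbytes);
    else                granule_xor(dst, src, nbytes); /* direct call, no bounce */
    for (size_t i = nbytes; i < sizeof(dst); i++)
        n += dst[i] != 0xEE;
    return n;
}

int main(void)
{
    printf("5-byte tail: direct=%d, temp buffer=%d\n", bytes_clobbered(5, 0), bytes_clobbered(5, 1));
    return 0;
}
```
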
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.18 with commit fc074e130051015e39245a4241956ff122e2f465 and fixed in 6.1.81 with commit 034e2d70b5c7f578200ad09955aeb2aa65d1164a |
| Issue introduced in 5.18 with commit fc074e130051015e39245a4241956ff122e2f465 and fixed in 6.6.21 with commit 1291d278b5574819a7266568ce4c28bce9438705 |
| Issue introduced in 5.18 with commit fc074e130051015e39245a4241956ff122e2f465 and fixed in 6.7.9 with commit 9e8ecd4908b53941ab6f0f51584ab80c6c6606c4 |
| Issue introduced in 5.18 with commit fc074e130051015e39245a4241956ff122e2f465 and fixed in 6.8 with commit 1c0cf6d19690141002889d72622b90fc01562ce4 |
| |
| Please see https://www.kernel.org for a full list of kernel versions |
| currently supported by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-26789 |
| will be updated if fixes are backported; please check that for the most |
| up-to-date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| arch/arm64/crypto/aes-neonbs-glue.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If, however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/034e2d70b5c7f578200ad09955aeb2aa65d1164a |
| https://git.kernel.org/stable/c/1291d278b5574819a7266568ce4c28bce9438705 |
| https://git.kernel.org/stable/c/9e8ecd4908b53941ab6f0f51584ab80c6c6606c4 |
| https://git.kernel.org/stable/c/1c0cf6d19690141002889d72622b90fc01562ce4 |